Here is my monthly update covering what I have been doing in the free software world during October 2020 (previous month):
- Opened a pull request for libIIO, a cross-platform library for interfacing with local and remote Linux Industrial I/O subsystem devices to make the build reproducible. [...]
- As part of my role as assistant Secretary of the Open Source Initiative and a board director of Software in the Public Interest, I attended their respective monthly meetings and participated in various licensing and other discussions occurring on the internet as well as the usual internal discussions, etc., including continuing 'onboarding' of a new project to SPI.
- Addressed an issue filed by Bob Tanner by updating the documentation of my django-slack library, which provides a convenient wrapper between Django projects and the Slack chat platform. [...]
- Opened a pull request against libsass-python (a straightforward binding of libsass for Python, to compile the Sass CSS extensions in Python without the conventional Ruby stack) in order to make the build reproducible. [...]
- For Lintian, the static analysis tool for Debian packages, I uploaded versions 2.97.0, 2.98.0, 2.99.0 & 2.100.0 as well as updated the declares-possibly-conflicting-debhelper-compat-versions tag as we may specify the Debhelper compatibility level in debian/control (#972464) and dropped a reference to a missing manual page [...].
One of the original promises of open source software is that distributed peer review and transparency of process results in enhanced end-user security. However, whilst anyone may inspect the source code of free and open source software for malicious flaws, almost all software today is distributed as pre-compiled binaries. This allows nefarious third-parties to compromise systems by injecting malicious code into ostensibly secure software during the various compilation and distribution processes.
The motivation behind the Reproducible Builds effort is to ensure no flaws have been introduced during this compilation process by promising identical results are always generated from a given source, thus allowing multiple third-parties to come to a consensus on whether a build was compromised.
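As an added illustration of the property described above (this is example code written for this page, not code from the original post or from the Reproducible Builds project), here is a toy build step in Python that exhibits the two commonest causes of unreproducible output, wall-clock timestamps and filesystem ordering, beside its corrected form, together with a check that rebuilds under simulated builder environments and a consensus check over digests reported by independent rebuilders. The sample source tree, the builder environments and the tampered digest are all constructed; SOURCE_DATE_EPOCH is the real environment variable the project specifies for fixing build timestamps.

```python
"""Toy reproducible-build check (added example, not from the original post).

Demonstrates why 'please make the build reproducible' patches usually touch
timestamps and input ordering, and how several independent rebuilders can
reach a consensus on whether one builder's output was tampered with.
"""
import hashlib
import os
import time
from collections import Counter

# Constructed sample source tree: file name -> contents (not a real project).
SAMPLE_SOURCES = {
    "util.c": b"int helper(void) { return 42; }\n",
    "main.c": b"int main(void) { return 0; }\n",
    "README": b"toy project\n",
}

# Two simulated builders: different clocks and different directory-listing
# orders, but the same SOURCE_DATE_EPOCH (in Debian this is derived from the
# latest debian/changelog entry, so every rebuilder sees the same value).
BUILDER_A = {"clock": lambda: 1_601_510_400.0,
             "listing": ["util.c", "main.c", "README"],
             "environ": {"SOURCE_DATE_EPOCH": "1601510400"}}
BUILDER_B = {"clock": lambda: 1_601_596_800.0,
             "listing": ["README", "main.c", "util.c"],
             "environ": {"SOURCE_DATE_EPOCH": "1601510400"}}


def emit(sources, order, timestamp):
    """Toy 'compiler': a header carrying a build timestamp followed by the
    inputs concatenated in the given order."""
    out = b"BUILD-TIME: %d\n" % int(timestamp)
    for name in order:
        out += b"== %s ==\n" % name.encode("ascii") + sources[name]
    return out


def naive_build(sources, clock=time.time, listing=None, environ=None):
    """Unreproducible: stamps the wall-clock time and takes inputs in whatever
    order the filesystem (here: 'listing') happens to return them."""
    order = list(sources) if listing is None else listing
    return emit(sources, order, clock())


def reproducible_build(sources, clock=None, listing=None, environ=None):
    """Reproducible: ignores the clock and listing order, sorts the inputs and
    takes the timestamp from SOURCE_DATE_EPOCH. Falling back to 0 when the
    variable is unset is this example's choice; the spec allows falling back
    to the current time, which then yields unreproducible output."""
    env = os.environ if environ is None else environ
    epoch = int(env.get("SOURCE_DATE_EPOCH", "0"))
    return emit(sources, sorted(sources), epoch)


def digest(artifact):
    return hashlib.sha256(artifact).hexdigest()


def is_reproducible(build_fn, sources, environments):
    """Build the same sources under each simulated environment and report
    whether every result is bit-for-bit identical."""
    digests = {digest(build_fn(sources, **env)) for env in environments}
    return len(digests) == 1


def consensus(reports):
    """Given {builder_name: sha256} from independent rebuilders, return the
    majority digest and the builders that disagree with it. A lone outlier
    points at a compromised or misconfigured builder rather than at the
    source, which is the 'consensus' the paragraph above describes."""
    counts = Counter(reports.values())
    majority, _ = counts.most_common(1)[0]
    outliers = sorted(name for name, d in reports.items() if d != majority)
    return majority, outliers


if __name__ == "__main__":
    builders = [BUILDER_A, BUILDER_B]
    print("naive build reproducible? ", is_reproducible(naive_build, SAMPLE_SOURCES, builders))
    print("fixed build reproducible? ", is_reproducible(reproducible_build, SAMPLE_SOURCES, builders))
    good = digest(reproducible_build(SAMPLE_SOURCES, **BUILDER_A))
    # Constructed: builder-c reports a digest that matches nobody else.
    print(consensus({"builder-a": good, "builder-b": good, "builder-c": "0" * 64}))
```

The naive build differs between the two builders purely because of the timestamp and listing order, even though the source is identical; the fixed build yields one digest everywhere, so a third builder reporting something else is immediately suspect.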
The project is proud to be a member project of the Software Freedom Conservancy. Conservancy acts as a corporate umbrella allowing projects to operate as non-profit initiatives without managing their own corporate structure. If you like the work of the Conservancy or the Reproducible Builds project, please consider becoming an official supporter.
This month, I:
- Submitted the following patches to fix reproducibility-related toolchain issues within Debian:
  - perl: Please make the build mostly reproducible. (#972559)
  - fckit: Please make the build (mostly) reproducible. (#972378)
  - libgrokj2k: Please make the documentation reproducible. (#972494)
  - netcdf-parallel: Please make the settings file reproducible. (#972930)
  - dh-fortran-mod: Please make the output reproducible version graph. (#965255)
- Filed a bug against the emacs package to make the generated .el files reproducible, a regression that is causing many packages to become unreproducible. (#972861)
- Helped draft a mailing list post to update
- Categorised a large number of packages and issues in the Reproducible Builds 'notes' repository.
- Drafted, published and publicised our monthly report.
I also updated the main Reproducible Builds website and documentation:
- Wrote and published two announcement blog posts regarding the restarting of our IRC meetings. [...][...]
- Added a citation link to the academic article regarding dettrace [...], and added yet another supply-chain security attack publication [...].
- Reformatted Jekyll's Liquid templating language and CSS formatting to be consistent [...] as well as expanded a number of tab characters [...].
- relative_url to fix the missing translation icon on various pages. [...]
- Add an explicit note regarding the lack of an in-person summit in 2020 to our events page. [...]
Lastly, I made the following changes to diffoscope, including preparing and uploading version 161 to Debian:
- Reviewed and merged functionality from Jean-Romain Garnier to add support for radare, a decompiler/reverse-engineering framework [...] and update debian/tests/control to match [...].
- Update tests to support OCaml version 4.11.1. Thanks to Sebastian Ramacher for the report. (#972518)
- Bump minimum version of the Black source code formatter to
trydiffoscope is the web-based version of diffoscope. This month, I made the following changes:
- --help-only test as being a 'superficial' test. (#971506)
- Add a test that interacts with the
- debhelper compatibility level to 13 [...] and bump Standards-Version to 4.5.0 [...].
This month I have worked 18 hours on Debian Long Term Support (LTS) and 12 hours on its sister Extended LTS project.
- Frontdesk duties, responding to user/developer questions, reviewing others' packages, participating in mailing list discussions, etc.
- Issued DLA 2406-1 for jackson-databind, a Java library for processing JSON, to address an external entity expansion vulnerability.
- Issued DLA 2407-1 for tomcat8, the Java application server. This was to fix an issue where an excessive number of concurrent streams could have resulted in users seeing responses for unexpected resources.
- 6.0.8-2 — Apply a patch from Yossi Gottlieb to fix a crash when reporting RDB/AOF file errors. (#972683)
- 6.0.9-1 — New upstream release.
- 2.0-1) — New upstream release.